EXECUTIVE FOCUS: 2006 SECURITY

Firewalls • Intrusion Prevention • Patch Management • Access Control • Antivirus • Content Filtering • Security Governance

CONTENTS 3

7 EXECUTIVE SUMMARY

9 ACCESS & ID MANAGEMENT CBR examines the impact that remote working and broadband connectivity have had on the demand for identity and access management technologies. 14 KEY PLAYERS

17 ANTIVIRUS CBR investigates the advanced methodologies and strategies that antivirus software, appliance and service vendors use to ensure their customers remain uninfected. 22 KEY PLAYERS

25 CONTENT FILTERING While attempts to eradicate spam appear to have had some effect, other email and content-based security threats have ensured that content-based threat management has stayed on top of the security agenda. 30 KEY PLAYERS

33 FIREWALLS CBR tracks the evolution of the firewall market into multi-function devices, and beyond. 38 KEY PLAYERS

41 INTRUSION PREVENTION The move from intrusion detection to intrusion prevention has prompted a wave of acquisitions and new product developments. 46 KEY PLAYERS

49 PATCH MANAGEMENT Patch Tuesday may have made patching systems a more regular occurrence, but that does not mean systems administrators can relax in-between. CBR reports on the importance of keeping systems up to date. 54 KEY PLAYERS

57 SECURITY GOVERNANCE The vast complexities of compliance look daunting, but in the context of IT the issue comes down to matters of reporting and of governance. 62 KEY PLAYERS

64 COMPANIES A-Z AND INDEX

2006 • CBR EXECUTIVE FOCUS Advertisement Feature

TRUSTING IN SECURITY

"The industry continues the journey towards greater trust and confidence in computing."
Ed Gibson, Chief Security Adviser, Microsoft UK

Four years ago, Bill Gates announced the launch of the Trustworthy Computing initiative within Microsoft. It signalled a dramatic shift in the company's mission and strategy, ensuring that building a trustworthy computing ecosystem is a top priority.

Back then the most common security threats used to be email worms, remote unauthenticated attacks and denial of service attacks. Today we see criminals – and I do not differentiate them from those in the real world – trying to exploit new varieties of social engineering, botnets and rootkits. Hackers are taking advantage of software vulnerabilities faster, and trying to infect computers before users have a chance to install updates.

The relentless criminal drive to profit from manipulating IT has created an unprecedented threat which demands the whole IT industry takes a new approach to security. Rather than implementing security on top of system elements, the infrastructure has to be 'fundamentally secure.' In short, security that's built-in, not bolted-on. Criminals do not care what operating systems or applications are being used, which makes IT security an industry-wide issue. As a result Microsoft is working with industry and governments to establish trust in a connected world. Nonetheless, we see it as our responsibility, as an industry leader, to offer a framework for taking secure computing to the next level. Let me share some of the vision that Bill Gates outlined at the 2006 RSA Conference with you.

The elements of a secure computing ecosystem are four-fold: developing a trust ecosystem; driving engineering for security as an industry responsibility; building simplicity for users; and, providing a fundamentally secure platform.

Developing a trust ecosystem

Trust is crucial to a productive computing ecosystem. Millions of network interactions are occurring every day where people have limited or no information about the identity or trustworthiness of the individuals, devices and software code on the other end of the connection. It is where a breakdown of trust occurs that security risks begin.

The 'trust ecosystem' will be an environment where those people, devices and code can be properly identified and held accountable for their action. This accountability could take a number of forms, such as damage to personal reputation, expulsion from a group or even conviction for a criminal act.

There is no one piece of software, or single company, which can deliver this. It has to be the result of federated efforts between all members of the industry. Microsoft is working with industry partners, sharing best practices and engaging with security forums around the world in order to have a global view of the problems and solutions. Microsoft is part of a group developing what we call the Identity Metasystem, an open and interoperable architecture for protecting users' identities.

Driving engineering for security as an industry responsibility

The second element of the framework is engineering for security across the IT industry: security by design, security by default. One of the many initiatives we've been working on at Microsoft is the creation of an overall process that engenders thinking about the various threat models, and understanding what code to write and what privileges that code has. Some of this involves building new tools that can do deep analysis of the code, and even prove its properties. This is the Security Development Lifecycle, getting developers to write the security architecture as one of the first things they do.

Specifically, at Microsoft, we require our internal developers to attend ongoing training in 'writing secure code', with mandatory security processes and security 'checkpoints' at every stage of the development process. This new process, which was used for Windows Server 2003, resulted in a 56% decrease in the number of security bulletins compared with Windows Server 2000.

To protect against evolving security threats, we're building technologies that provide layered defences against [...], spam, spyware and phishing attacks that are secure by design, and by default (no action required by the user to engage security features). We've also made important strides in providing straightforward services and tools that enable customers to configure their systems correctly and keep them up to date.

Significant progress has been made on improving base level security across organisations, and for individuals. Through Microsoft initiatives there have been 263 million downloads of Windows Service Pack 2, 75 million downloads of Microsoft's AntiSpyware Beta, two billion downloads of Microsoft's Malicious Software Removal Tool, and over three billion spammed messages a day blocked in Hotmail.

Building simplicity for users; and, providing a fundamentally secure platform

With the dramatic increase in criminal threats facing business, it is not surprising that protection has become very complex. There are a multitude of software products, architectures and user interfaces that an information security professional has to configure, update and manage, when resources could be spent driving business value from IT. Where you have many points of integration and management, you also have the potential points of failure. IT professionals need their jobs to be easier, and developers need security conscious interfaces that enable them to write far less code. Home users need security that's just done for them, automatically.

Microsoft has been making a number of technology investments to achieve this. We've built on the success of Service Pack 2, which increased by an order of magnitude the resistance of Windows XP to attack. The Windows Vista platform has been developed with the highest attention to security and will be the first client-based operating system to go through the Software Development Lifecycle that I mentioned earlier. It will also include a number of security features such as a two-way firewall, User Account Control, BitLocker Drive Encryption and a new version of the Security Centre that will continually monitor your security settings and tell you if your system is not in a secure state. This is by design and default – turned on.

Microsoft's Windows AntiSpyware will also be included in [...] and be available as a standalone download for customers using [...], Windows XP and Windows Server 2003. We have renamed it Windows Defender and expanded it to detect and remove rootkits, keystroke loggers and other forms of malware. Already Windows Defender has helped remove tens of millions of spyware packages for more than 25 million users.

Providing a fundamentally secure platform

Besides its technology investments and industry partnerships, the final element of Microsoft's vision is through building fundamentally secure platforms, which offers the primary defence in tackling the growing risk of internet security threats, e-crime and online fraud.

We know that hackers and other criminals – whose goal is to steal, extort, and disrupt company and government computer systems – will find Windows Vista a more difficult platform to exploit. However, we also know that as we are not the keepers of technology, criminals will be attempting to break through the walls, just as criminals figure out new ways of breaking into homes or banks. Thus, we will remain ever vigilant and will continue to ensure our customers receive regular updates as the computing environment evolves.

Not to be forgotten is the importance of ensuring that people are equipped with the relevant security knowledge. Microsoft has trained over three quarters of a million IT professionals and developers on security best practices, and more than four hundred Microsoft employees hold Certified Information Systems Security Professional (CISSP) status. Microsoft is also a founding member of Get Safe Online, the UK's first Internet security awareness campaign for the general public and small business.

These examples are the latest deliverables of our vision of Trustworthy Computing. As an industry we face numerous challenges in creating a trust ecosystem, but the rewards in doing so are many. Business will be able to continue to embrace technology as a vital tool for productivity, intelligence, commerce and communications. New opportunities and competitive advantage will emerge, especially for those companies that can embrace the technology that provides a secure computing ecosystem.

Microsoft is committed to making products more secure, more reliable and more protective of user privacy. The aim is to ensure that people are in control of their data, and Microsoft is cognisant of its critical role in providing public safety, national security and economic prosperity. I look forward to introducing you to our continued developments in the future.

EXECUTIVE SUMMARY

CBR welcomes you to this year’s Security Executive Focus with a brief overview of its motivation, scope and features.

One of the key themes that dominate this Security Executive Focus is consolidation. Whether it be consolidation in terms of merger and acquisition activity among key security vendors, consolidation of edge security functionality into universal threat management, or the consolidation of application patch data into regular updates, the preceding 12 months have clearly been ones of sharpening focus in the security industry.

It is hardly surprising. Despite solid investment in filling security holes across the industry, while improving the quality of security technologies, the IT industry as a whole faces a breadth and depth of security concerns never before experienced. As well as the now familiar virus, denial of service and spam threats, and good old white-collar data misuse, businesses now have to be more concerned than ever before with regulatory pressures that could mean the end of the business and even prison time for company executives. If that were not enough, businesses are also facing increased security threats from new technologies and business culture changes, such as demands from the workforce or company strategy to enable remote working, and managing the use of instant messaging and VoIP applications.

An exclusive survey carried out by CBR indicated that these factors weigh heavily on the minds of IT decision makers, with 56.1% rating virus, denial of service and spam as their biggest security concern, 14.0% citing mobile and remote users, 12.0% white-collar data misuse, 10.4% compliance and regulatory pressures, and 5.5% emerging threats such as instant messaging. CBR surveyed the attitudes of 385 senior IT decision makers towards organisational and cultural developments and technology adoption trends. Unlike previous Executive Focuses, we have decided to intersperse the survey results throughout the report, rather than having a dedicated survey article. In this way, we hope to put the survey results in the context of the latest trends in the key security segments.

The security market itself has been broken down into seven segments, which are presented alphabetically. The report begins, therefore, with Access and ID Management, which examines the impact of a remote and mobile workforce. Next is an old favourite, Antivirus, which takes a look at the new technologies implemented by antivirus software, appliance and service vendors to keep ahead of virus writers. Meanwhile, Content Filtering inspects content-based threat management beyond anti-spam, and Firewalls tracks the evolution of the firewall towards multi-function devices. The wave of consolidation in the move from intrusion detection to intrusion prevention is considered, as is the continued importance of keeping system patches up to date, as well as the complexities involved in ensuring that security policies are in lockstep with compliance requirements.

Your feedback is as always most welcome: [email protected]

ACCESS & ID MANAGEMENT

Border control

Rik Turner examines the impact that remote working and broadband connectivity have had on the demand for identity and access management technologies.

As the various sectors of edge security – antivirus, anti-spam, intrusion detection and prevention, content and web filtering – are converging onto single UTM boxes, core security, such as identity and access management, has seen a flurry of activity, with new players coming into the field and existing ones being acquired. This sector is undeniably a hot one at the moment, and with good reason. Enterprises great and small are going international, making them increasingly reliant on networks generally and the Internet in particular for communication between their employees.

At the same time, the spread of broadband connectivity, which last year overtook dial-up as the principal form of domestic access to the Internet in the US, is fuelling the move towards teleworking. Another milestone: in May last year, for the first time laptops outstripped desktop PCs in US monthly sales in the retail channel, representing 53% of the overall total. Since less than 5% of laptops now ship without built-in WiFi connectivity, the possibilities for getting onto the corporate network from somewhere other than the office are growing exponentially.

So with remote workers, whether at home or on the move, requiring access to the corporate network while corporate premises themselves are now spread over many cities and countries, it is little surprise that one analyst has estimated that as many as 80% of corporate applications are now delivered over a WAN rather than a LAN link. In such a scenario, knowing exactly who the person accessing the network is becomes even more essential than it was on the LAN, where at least the likelihood was that the person had been seen as they came into the building. Hence the newfound emphasis on ID and access management.

ACCESS MANAGEMENT

Access management focuses on the actual device requesting access to a corporate network and is increasingly referred to as network access control (NAC). Since it deals with machine identification and authorisation rather than verification of a person's identity, it is networking vendors such as Cisco and Juniper, as well as edge security vendors like Symantec and McAfee, that have offerings in this space. Microsoft is also readying what it calls Network Access Protection (NAP), a NAC enforcement platform it is building into the Vista and Longhorn versions of its operating systems.

Cisco was the first networking company to announce its intentions in this area, unveiling an initiative called Network Admission Control, whose acronym happens to be the same as the one now used to refer generically to all such technology offerings. NAC involves integrity checking for devices requesting access to corporate networks, which entails verifying whether they comply with corporate security policy with regard to versions of operating systems and the latest AV signatures. Juniper has since come out with an offering, its Infranet technology, which makes its routers the enforcement points, just as Cisco does with its switches. Symantec bought heavily into NAC last year when it acquired Sygate, a pioneer of endpoint security that looked likely to be sidelined by Cisco's entry into the market. McAfee, meanwhile, offers its Policy Enforcer software but, rather than competing with what it calls the "enforcement frameworks" such as Cisco NAC, Microsoft NAP or the Trusted Network Connect (TNC) architecture from the Trusted Computing Group cross-industry initiative, it integrates with them all. Meanwhile, Canadian networking vendor Nortel has just launched its Secure Network Access (SNA) switch as a complement to Microsoft NAP. Nortel now plans to put smart ports on its switches, routers and gateways to communicate with Microsoft's RADIUS-based Network Policy Server and NAP clients for policy enforcement across both companies' platforms.

WHAT IS YOUR PREFERRED SOURCE OF ACCESS AND ID MANAGEMENT SOFTWARE?

Server vendor              16.15%
Operating system vendor    15.10%
Systems management vendor  16.67%
Best-of-breed player       52.08%

Source: CBR survey

IDENTITY MANAGEMENT

Identity management deals directly with who a person is. That goes for both the corporate employee, in which case there will also be different levels and areas of access depending on their role within the organisation, and the individual from outside the company. The latter can vary from someone granted guest access to the Internet over a WiFi connection while on company premises, to a person working on a long-term outsourcing contract, such as in marcoms or technical support. Again, there will be things such outsiders can and cannot get to once they are granted a connection to the network.

The latter activity tends to be the preserve of a different set of companies. There are the authentication players such as RSA and VeriSign, public key infrastructure players like Entrust, and single sign-on (SSO) vendors like Imprivata, all the way through to framework vendors such as IBM (with its Tivoli software), CA (with Unicenter) and BMC (with Patrol), not forgetting more recent entrants in systems management like NetIQ.

M&A FEVER

As ID management has grown in importance on the corporate agenda, so some of the bigger fish in IT have joined the fray through M&A activity. Hewlett-Packard spent the last two years building a complete portfolio in this space through acquisitions, which it rounded out with last year's purchase of federated SSO player Trustgenix, with all the technologies it has gained predictably being folded under the OpenView umbrella. Oracle also entered the market last year with its acquisition of Oblix, adding a generic ID management capability to its hitherto Oracle-specific offerings and gaining a customer base that included Coca-Cola, American Airlines, Cisco and GM. BMC also went shopping for SSO, acquiring OpenNetworks, while CA in late 2004 bought Netegrity.

At the heart of an ID management infrastructure is a corporate directory, so it is only natural that, with its Active Directory (AD) offering, Microsoft should perceive an opportunity to expand further into the enterprise market. Last year it released a description of its Identity Metasystem architecture, proposing a seven-point conceptual representation of digital identity designed to enable companies to build an open, extensible ID system based on web services protocols. The idea is for individual users to be able to join or federate their ID systems internally and externally – across the Internet – irrespective of what platforms or technologies they are running within their company: Kerberos, X.509 or the Security Assertion Markup Language (SAML), for instance.

Microsoft's most recent foray in the federated space came in September when it acquired certificate management and identity assurance software vendor Alacris with a view to enabling companies to deploy, manage and maintain an ID infrastructure based on smart cards. As chairman Bill Gates explained at the RSA Conference last month, the company plans to enable the management of passwords and identities across multiple websites as part of Windows XP and Vista. Its InfoCard project will operate as a wallet in which ID and passwords will be stored, eliminating the need to remember multiple login details.

MICROSOFT'S AMBITIONS

Microsoft also revealed at RSA that it intends to make AD the central location for managing all ID and access within Longhorn, due out in the first half of next year. To do that, it will add the rights management, identity federation and security certificate services from the current Windows Server into AD.

It is interesting to note, in the context of all these companies' ambitions, that when we asked our survey respondents, "Who would you prefer to get your ID and access management technology from?" only 16% said their server infrastructure vendor (so look out IBM and HP), another 15% said their operating system vendor (Microsoft beware) and 16% their systems management vendor (CA and BMC take note). The majority, 52%, said they would prefer a standalone, best-of-breed player.
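The integrity check at the core of NAC, as the article describes it, is a policy decision taken before a device is admitted: is the operating system version acceptable, are the AV signatures current, are the required patches present? The following posture evaluator is an added example written for this section; it is not code from Cisco, Microsoft, Juniper or any other vendor named here. The policy values, the patch identifier, the device reports and the three-way admit/quarantine/deny outcome are all constructed assumptions about how an enforcement point would act on a posture report.

```python
"""Toy NAC posture evaluation (added example, constructed data throughout)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    min_os_version: Dict[str, Tuple[int, ...]]   # platform -> minimum version tuple
    max_signature_age: timedelta                  # AV signatures older than this are stale
    required_patches: Dict[str, FrozenSet[str]]   # platform -> patches every device must carry


@dataclass(frozen=True)
class PostureReport:
    device_id: str
    platform: str
    os_version: Tuple[int, ...]
    av_signature_date: date
    installed_patches: FrozenSet[str]
    agent_attested: bool  # report produced by the endpoint agent the enforcement point trusts


def evaluate(report: PostureReport, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return ('admit' | 'quarantine' | 'deny', reasons).

    A report the enforcement point cannot trust, or a platform it has no
    policy for, is denied outright. A trusted report that fails one or more
    policy checks goes to quarantine (a remediation network) rather than
    being cut off, so the device can be brought into compliance.
    """
    if not report.agent_attested:
        return "deny", ["posture report not produced by a trusted agent"]
    minimum = policy.min_os_version.get(report.platform)
    if minimum is None:
        return "deny", [f"no policy for platform '{report.platform}'"]

    reasons: List[str] = []
    if report.os_version < minimum:            # tuple comparison: (5, 0) < (5, 1)
        reasons.append("operating system version below policy minimum")
    if today - report.av_signature_date > policy.max_signature_age:
        reasons.append("antivirus signatures stale")
    missing = policy.required_patches.get(report.platform, frozenset()) - report.installed_patches
    if missing:
        reasons.append("missing required patches: " + ", ".join(sorted(missing)))

    if reasons:
        return "quarantine", reasons
    return "admit", []


# Constructed policy: version tuples and the patch id are placeholders, not real identifiers.
POLICY = Policy(
    min_os_version={"windows": (5, 1), "linux": (2, 6)},
    max_signature_age=timedelta(days=3),
    required_patches={"windows": frozenset({"PATCH-EXAMPLE-001"})},
)
TODAY = date(2006, 3, 1)

# Constructed posture reports covering each outcome.
SAMPLE_REPORTS = [
    PostureReport("laptop-01", "windows", (5, 1), date(2006, 2, 28), frozenset({"PATCH-EXAMPLE-001"}), True),
    PostureReport("laptop-02", "windows", (5, 0), date(2006, 2, 20), frozenset(), True),
    PostureReport("laptop-03", "linux", (2, 6), date(2006, 3, 1), frozenset(), False),
    PostureReport("laptop-04", "macos", (10, 4), date(2006, 3, 1), frozenset(), True),
]


def admission_decisions(reports=SAMPLE_REPORTS, policy=POLICY, today=TODAY) -> Dict[str, str]:
    """Map each device id to its admission decision."""
    return {r.device_id: evaluate(r, policy, today)[0] for r in reports}


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        decision, reasons = evaluate(r, POLICY, TODAY)
        print(f"{r.device_id}: {decision}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

The distinction between quarantine and deny matters operationally: a laptop with stale signatures is a remediation task, whereas a report that no trusted agent vouched for gives the enforcement point nothing it can reason about, which is the same gap the article notes when it says NAC and NAP interoperability has yet to be explained.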

Key players

BMC Software
BMC ramped up its ID management offering in January 2005 with the acquisition of French ISV Calendra, whose Java-based workflow and directory management technology makes it possible for companies to create applications to ensure security policies are enforced across SSO systems, web portals and PKI managed systems. BMC first bought into the space at the end of the 1990s when it acquired New Dimension, a user provisioning software developer. Some analysts question BMC's vision in ID management, however, arguing that a clear understanding of the value of service oriented architectures is fundamental to play in the market in the long term.

CA
The company formerly known as Computer Associates is credited with a clear view of where it wants to be in ID management thanks to its $430m acquisition, at the end of 2004, of Netegrity, which was a high-profile developer of user administration and access management applications for both web services (TransactionMinder) and web-based (Identity Minder Web Edition) environments. It folded the Netegrity suite of products into its eTrust security portfolio, and what the analysts particularly liked at the time was the fact that the acquisition jumpstarted CA on the SOA road with regard to ID management, something which was conspicuously absent from rival BMC's strategy at the time.

Cisco Systems
In access control, Cisco's Network Admission Control (NAC) initiative was launched in 2003, initially with AV vendors Symantec, McAfee and Trend Micro. The idea is for a laptop requesting access to a corporate network to be interrogated as to the current state of its AV signatures database, as well as whether it has the latest patches for its operating system. To date 60 companies have joined the AV heavyweights to enable some aspect of endpoint security checking. Of course, it requires Cisco Trust Agents on the endpoints, as well as upgrades to the IOS operating system running on all the Catalyst switches on the corporate network, and it will not work across other switching gear. Still, with its market share in enterprise switching, the networking giant can afford to be proprietary in this respect for the time being.

Hewlett-Packard
Hewlett-Packard has been accused of being too much of a soup-to-nuts company, offering everything from Superdome super-computers to printers and iPaqs. Still, in enterprise software, and particularly in ID management, HP has kept pretty focused, acquiring first the Select Access business from moribund Baltimore Technologies in 2003 for ID management on a corporate network, then in the following year buying TruLogica for user provisioning. In 2005 it cut a deal with Trustgenix for federated ID, extending the Select Access capability out across the Internet. This year it went all out and bought Trustgenix. The three sets of technology – now called Select Access, Select Identity and Select Federation – make up its OpenView Identity Management Suite.

IBM
Big Blue's ID management play is part of its Tivoli systems management framework, with Tivoli Identity Manager as the automated, policy-based platform working across multiple databases, applications and systems. IBM has embedded a provisioning engine for getting new employees started with the correct access rights and changing those rights as their responsibilities change within the organisation, plus self-service interfaces for users to perform password resets and synching. IBM bought its provisioning technology with the acquisition of Access360 in 2002.

NetIQ
Without having a specific portfolio called ID management, NetIQ clearly addresses a lot of the issues involved with its offerings in security and configuration management, as well as in operational change and control. In particular, it has a set of tools for Active Directory administration, enabling the management of what it calls identity repositories, as well as provisioning through automated user lifecycle management. The concerns here are twofold, however. First, NetIQ is Windows-specific, which precludes it from mixed environments where user identity will need to be provisioned to, say, Unix or Linux systems. Second, since Microsoft itself is ramping up its offerings in ID management, there is a danger that what NetIQ can offer today will tomorrow be available directly from the operating system vendor itself.

Symantec
While a founder member of Cisco's NAC program and still participating with its signature updates, Symantec moved directly into competition with Cisco last year by buying Sygate, an endpoint security developer with network access control technology of its own, based on clients' own end devices talking to a server in the network. After Cisco threw its hat into the ring, Sygate began to tout its 'universal' NAC – since its system runs with any switching infrastructure – a theme its new owner has taken up. In February Symantec unveiled the NAC Enforcer Series of rack-mountable appliances to talk to clients at branch offices, home worker premises or in hotspots.

Trusted Computing Group
TCG, which has among its members the likes of Juniper, Nortel and Intel, is designed to promote "open, vendor-neutral, industry standard specifications," and as such it has its own standards-based NAC proposal called Trusted Network Connect (TNC), involving a secure chip, the Trusted Platform Module (TPM). It is worth noting that, after much badgering by customers, Cisco and Microsoft agreed at the end of 2004 to enable NAC and NAP to interoperate, but have so far done relatively little to explain how that is actually going to happen.

ANTIVIRUS

Building immunity

Rik Turner investigates the advanced methodologies and strategies that antivirus software, appliance and service vendors use to ensure their customers remain uninfected.

The antivirus (AV) industry is among the most mature sectors of IT security. Not only have computer viruses been around for a very long time, the modus operandi for dealing with them and the business model to support it have been established since early on in the development of viral threats.

AV companies maintain a number of large operations centres across the globe, at which they monitor traffic on the Internet and watch for unusually high volumes in particular areas, from certain IP addresses, and so on. If on further inspection they determine that the activity is abnormal and driven by malicious code embedded in emails, they have a virus on their hands and will write a 'signature' for it: a 'picture' of the essential elements that make it work. That signature is then pushed out as an update to copies of their AV software already sitting on customers' machines, whether individual computers in the residential scenario or gateway servers for businesses. Armed with the update to its signature database, the software can look at traffic flows into the environment it is protecting and compare them with the latest virus signature in order to pick it up before it can wreak havoc.

It is a good, simple methodology, and while it relies on significant revenue to run the laboratories where viruses are detected and signatures written, it also guarantees vendors a steady revenue stream from both the sale of the original package and a year's subscription to the update service, and the annual renewals as customers extend the protection the arrangement offers.

That said, the sector has been under considerable pressure in recent years. As the Internet's worldwide user base has grown and daily email volumes head towards the trillion mark, the nature of malware has also evolved. Viruses were the preserve of so-called 'script kiddies' who got a kick out of gumming up the works and sending notification to computer users that they had been infected, complete with PacMan-like graphics of their hard drive's progressive destruction. Now the Internet is big business, and so is malware.

Whether for information about a user's Internet activity, theft of intellectual property, remote control of a machine as a 'zombie' to carry out mass mailing, or simply to extort money from companies with the threat of a denial of service (DoS) attack, there is good money to be made from such bad behaviour, and that is even before we consider the development of spam.

There is now a clear commercial incentive for virus writers to beat the AV vendors in the race to infect computers, a fact to which the sheer proliferation, speed and sophistication of new virus attacks bears witness. The current decade has seen the rise of the Zero-Day exploit, which is where a vulnerability in a given piece of system or application software has been detected and, usually, published, with a virus attack occurring before the AV industry has had time to write the signature.

The need to protect against such threats has led to talk of proactive rather than reactive security. For example, intrusion detection software (IDS) has developed a proactive capability to become intrusion prevention (IPS). However, there is still concern among users about empowering a system to block traffic because it thinks it looks suspicious, obviously on account of the risk of false positives. In the same vein the AV vendors have added behavioural analysis and heuristics to flag suspect traffic, enabling them to quarantine it for more detailed inspection.

APPLIANCES

Another recent trend in information security has been the rise of the appliance, which is symptomatic of how edge security as a whole – everything designed to keep the bad guys out of the network it is protecting – is undergoing commoditisation. While we have not seen dedicated AV appliances per se, the sector has accompanied the trend, entering into agreements with appliance vendors to bundle its software onto their boxes and serve it with updates.

This raises an interesting aspect of the sector. AV is quite a labour-intensive activity, in that you have to pay qualified people to carry out the monitoring activity in your laboratories, then others to write the signatures and ensure the signature database is up to date. One of the upsides to being in the business, therefore, is that the barriers to entry are high enough that new entrants do not crop up very often. Companies building security appliances, therefore, have without exception had recourse to an established name in AV rather than attempting to do it themselves. As a result, the list of suppliers of AV software on any of the appliances coming onto the market tends to contain only a handful of the usual suspects.

The entire AV software sector comprises no more than ten names. There are the Big Three (Symantec, McAfee and Trend Micro) who hold the lion's share of the market, with a second tier comprised of companies such as Sophos from the UK, Panda from Spain, F-Secure from Finland and Kaspersky from Russia. The last of these has been making particular headway in the market in recent years, most recently thanks to an alliance with Juniper, the main challenger to Cisco in the router market.

The appliance has become just another route to market for AV vendors and, of course, as that market has developed, the larger players in AV have muscled in with unified threat management (UTM) offerings of their own. Symantec and McAfee in particular have adopted this approach in the last couple of years, whereas Trend Micro has opted for a strategic alliance with Cisco. CEO Eva Chen says Trend, the smallest of the Big Three, was the natural choice for this partnership, because its two larger rivals are coming into competition with Cisco as the latter expands its own security offerings, in both appliances and software aboard its networking gear. The most recent development from this relationship was in February, when Cisco began offering Trend's software on both its ASA appliances and branch-in-a-box offering, the ISR.

PREFERRED ANTIVIRUS DELIVERY METHOD

[Chart: the survey figure compared Software, Service and Appliance as delivery methods, with the values 32.9%, 26.6%, 14.62% and 15.3%; which value belongs to which option is not recoverable from the extracted text. Source: CBR survey]

AV AS A SERVICE

Another take on AV that has enjoyed considerable growth in the last couple of years has been its delivery as a service rather than as licensed software. The argument for such an offering can be quite compelling: an enterprise customer can effectively have unwanted traffic hived off and dealt with even before it hits the corporate network. And if that goes for AV, it is just as logical for anti-spam.

Unusually for any area of information security, the acknowledged market leader in this space is from outside the US, namely UK-based MessageLabs, although American company Postini runs it a close second. Meanwhile, Microsoft acquired the other challenger in the email security services market, FrontBridge, last year in what was widely perceived as validation of the general strategy of the players in the space. The UK also has a smaller player, BlackSpider, which has tended to expand into continental Europe, whereas MessageLabs is attempting to crack the US market.

Most of the players in email services are now diversifying into ancillary services that are a natural extension of their core business. They are all starting to offer web and IM filtering alongside email, Layer-2 encryption for outbound email and archiving, which enables them to speak to growing corporate concerns around regulatory compliance, as well as litigation support in the US.

It should be added that Microsoft has been edging into the security market generally, with AV as one of its target areas, buying not one but two AV developers in the last three years (US-based Sibari in 2005 and Romanian ISV GeCAD in 2003). The operating systems giant has also just released a beta version of its first anti-spyware offering.

CBR EXECUTIVE FOCUS • 2006 ANTIVIRUS

Key players

F-Secure

Part of the second tier of AV vendors, Finnish F-Secure seeks to differentiate itself by focusing particularly on service providers, which also compensates for its smaller budget for traditional channel development than its larger competitors. It has shunned a move into own-brand hardware appliances for the enterprise space, preferring instead to enable partners to bring such products to market with its software in them. F-Secure hails from Finland, one of the spiritual homes of the mobile phone, and the Helsinki-based ISV claims a particular expertise in this area, with Mobile AV packages for Nokia’s Series 80 phones and for the Windows Mobile platform. The company has also begun exposing rootkit-like digital rights management (DRM) technologies in the wake of last year’s scandal with Sony’s XCP software.

Kaspersky

Founded in 1997 and currently with 10 overseas offices, Moscow-based Kaspersky is very much an up and coming force in AV and a name that crops up in conversation with a growing number of hardware vendors. This may be due to the fact that the Russian ISV is prepared to take a lower share of joint revenue in order to clinch deals with important partners such as Juniper and UTM vendor Finjan, but it is clear the company backs up its aggressive competitive stance with technical clout. In the case of the Juniper tie-up, Kaspersky was a convenient alternative to the router vendor’s erstwhile partner Trend, now that the latter has tightened its relationship with Cisco, and the Russian ISV’s AV and anti-spyware products will now ship as default on Juniper’s firewall/VPN appliances.

McAfee

Symantec’s traditional rival in AV has been through an identity crisis over the last decade, changing from McAfee to Network Associates, then back to McAfee. The name change came after it bought network analysis market leader Network General, and while there was a logic to the acquisition, the VirusScan vendor never really exploited its Sniffer Technologies division to the full extent of its possibilities. It spun it back out, returned to its former identity and became again a pure-play security vendor. Among current initiatives is the Clean Pipes program, designing carrier-class security infrastructure for service providers to offer not just a WAN bitpipe to corporate customers but a ‘clean WAN’, with unwanted traffic already removed on the inbound link.

MessageLabs

UK-based MessageLabs has pioneered the concept of delivering email security as a service rather than as a product, recognising that the volume of mail traffic going through corporate servers, together with the increasing percentage of it that was complete junk, represented an opportunity to offer capital expenditure reduction in exchange for manageable operating expenses. Furthermore, with companies in sectors such as financial services bound by regulation to archive all their email traffic, the removal of spam before it hits the corporate network means the overall archiving requirement is reduced. MessageLabs has now expanded from AV and anti-spam into IM, encryption and archiving.

Microsoft

The OS giant has been growing its security portfolio for half a decade now, offering firewalls, ID and access management and, most recently, acquiring two AV developers. It has also just beta tested Microsoft Anti-Spyware, and while the traditional players in each of these spaces need not expect it to compete head-on in every market niche they are in, it will seek to offer its security products as add-ons to its ubiquitous operating systems and office productivity suite, which could squeeze them out. Of respondents to our end-user survey, 33% said they would consider buying AV from Microsoft, if the price was right or if it was superior to what they were currently running.

Sophos

This UK-based AV developer is another ISV that aims to differentiate itself from the crowd of second-tier players. It has kept to the business market, with AV and anti-spam offerings for enterprise and SME, and perhaps its greatest claim to fame is the breadth of its range coverage, there being Sophos Anti-Virus versions for Windows, Mac OS X, NetApp, NetWare, Linux and most versions of Unix. In February it claimed to have discovered the first ever virus for Mac OS X, called OSX/Leap, followed two days later by a second, OSX/Inqtana-A, which spreads via Bluetooth.

Symantec

Symantec was already the 800lb gorilla of information security when at the end of 2004 it embarked on the $13.5bn acquisition of another heavyweight ISV, Veritas Software. The logic here was that the owner of Norton AntiVirus could marry its products and channel with those of the market leader in back-up and recovery software, becoming a single source for data management. Of course, that brings it into competition with companies such as EMC, while players like Cisco and Microsoft are upping their presence in its core market of security. Last year Symantec bought endpoint security vendor Sygate, putting it in the network access control market, where both those companies have ambitions.

Trend Micro

The smallest of AV’s Big Three has studiously avoided coming into competition with its main hardware partner Cisco in key areas such as network access control (NAC), and been rewarded for it by having its software bundled onto the networking giant’s hardware. The latest development sees Trend’s products on Cisco’s Adaptive Security Appliance (ASA) and the Integrated Services Router (ISR) branch office box, but they had already been included last year on a blade with Cisco’s IPS technology for the Catalyst switch range. While it has steered clear of launching a NAC offering, the Tokyo, Japan-based ISV has been developing for the mobile market. Its most recent offering in that space is a version of its Mobile Security for Nokia’s Series 60 phones running the Symbian operating system.

CONTENT FILTERING

Filtration device

While attempts to eradicate spam appear to have had some effect, other email and content-based security threats have ensured that content-based threat management has stayed on top of the security agenda. Kevin Murphy reports.

It was a little over two years ago that Microsoft chairman Bill Gates predicted the end of spam. “Two years from now, spam will be solved,” he said. Maybe he was misquoted. True enough, spam is a thing of the past for millions of business email users. Filters are close to 100% effective at catching it, and most users only have to worry about false positives, maintaining white lists, and the occasional spam or phishing attack that slips through the cracks.

While there is a long way to go, a combination of anti-spam law enforcement and technology does appear to be having a measurable effect. The amount of spam being sent is actually decreasing, as measured as a percentage of the overall mail volume. At the time of writing, 73% of email is spam, according to Postini, a hosted email security provider that processes about nine billion messages a month. That is down from about 88%, again by Postini’s numbers, in January 2005.

Last year, even self-proclaimed ‘Spam King’, Scott Richter, one of the Internet’s most notorious bulk mailers, threw in the towel, although more as a result of legal pressure from Microsoft than the effectiveness of anti-spam technology. In July, he was delisted from The Spamhaus Project’s Register of Known Spam Operations, having cleaned up his act and kept it clean for six months.

But spam is clearly still a big problem, and anti-spam software, appliances or services are still as much of a must-have for enterprises as antivirus

software. As such, it is becoming more entwined with the rest of the security infrastructure, becoming a component of a larger message handling fabric.

MULTI-LAYERED SECURITY

Security giant Symantec, which has been building and buying like crazy, in October claimed to be the first to offer email security at every tier of the infrastructure and with all the major deployment models. The company’s Mail Security Enterprise Edition bundle can comprise mail filtering at the desktop, the SMTP gateway, the mail server, or out in the cloud, and can be deployed as software, an appliance, or a hosted service. The acquisition of Veritas Software, whose catalogue includes a line of message archiving offerings, seems likely to lead to more integration of content filtering into the general IT infrastructure.

Archiving, encryption and back-up are areas most of the major anti-spam players are targeting, particularly the hosted service providers, mainly to address some customers’ needs to comply with data security, retention and financial control regulations. Companies in the anti-spam space are currently also very interested in entering new markets by bolting on features to tackle less well-addressed problems, such as instant messaging security and phishing.

In the web content filtering space, the merger of Secure Computing and CyberGuard was arguably the most significant business event of the last 12 months, creating a new powerhouse in URL filtering, coming dangerously close to catching up with leader Websense, if not in terms of revenue then certainly in the number of licensed users.

Technologically, anti-spam and anti-phishing technology represent the point of convergence between web and email filtering: after all, the basic mechanics of an attack requires a web URL to be sent in an email. And it was last year that phishing began to be seriously addressed by the market, with most of the consumer-facing security companies starting to offer some way to help defeat this type of fraud.

But it would probably be incorrect to say that anti-phishing features are a huge priority for security companies that only sell to enterprises, where phishing is not a major cause of concern. While people can be phished while at work, examples of targeted phishing attacks that seek access to corporate resources are still hard to find, a fact reflected by the CBR end-user survey, which found that less than half of respondents said that they think phishing could compromise their company’s critical data. Over 57% said that they did not believe it could.

A typical anti-phishing offering targeted at consumers is all about alerting the user to the fact that the site they are visiting may not be trustworthy. For example, Microsoft has built anti-phishing directly into Internet Explorer 7, currently in beta testing and due for release towards the end of the year. The service will send every URL the user visits to Microsoft, where it will be checked against a list of known phishing sites (privacy concerns will likely limit adoption).

In the enterprise space, vendors such as CipherTrust and VeriSign have decided that the better revenue opportunity is in helping companies to protect their brand and their technology resources. CipherTrust’s service helps firms understand whether their IP addresses are behaving in an untrustworthy manner, a possible indicator that they have been compromised, and whether the company’s domains are being used in phishing attacks.

Some specialist security companies have been talking about instant messaging security for a long time, but it is only recently that the market has been getting some serious attention. The next year or two will likely see the major public IM networks, run by AOL, Yahoo and Microsoft, tying up and becoming interoperable, making the medium a more attractive target for malware writers.

Trend Micro got into IM security last summer. Postini launched into the space in September in an OEM partnership with IMLogic, since acquired by Symantec. CipherTrust launched IronIM in October, Fortinet added IM support to its unified threat management offerings in February. MessageLabs added IM support to its hosted service in January, having acquired Omnipod for that capability last autumn. Despite the flurry of activity, IM security technology is relatively mature. Almost all that remains now is for these companies to continue to enhance their products to deal with IM attacks that we so far have not seen.

A much more foetal industry, which emerged over the last couple of years but which is likely to get hotter over the next 12 to 24 months, is the market for reputation services. A couple of years ago anti-spam companies started recognising that you can get a pretty good read on whether an incoming SMTP connection is likely to send you spam just by the IP address of the source. You can save a lot of bandwidth by just denying the connection at the TCP/IP level, before the mail is even sent, if you have a fairly high level of confidence that the IP address is owned by a spammer or belongs to a compromised host. This is source-based filtering, as opposed to the content-based filtering that many anti-spam technologies rely upon.

AUTHORISATION CHECKS

This type of technology is likely to become increasingly popular as more people start implementing relatively new email sender authentication technologies such as Sender Policy Framework, the Microsoft-backed Sender ID Framework (SIDF) and the Yahoo/Cisco-led DomainKeys Identified Mail (DKIM). These specifications make it very easy for email recipients to check whether an email from example.com was actually sent by a server authorised to send email for that domain.

It is not a great deal of use by itself – spammers can authenticate themselves and will still be spammers – but when combined with a reputation service that tells you whether a given domain or IP has a track record of bad behaviour you get a helpful variable to take into account in your filtering decision. These types of services are already available from the likes of CipherTrust and IronPort, but adoption of SIDF and DKIM – currently believed to be in the region of a million domains – may result in new and enhanced reputation services that could in turn lead to a reduced spam problem.
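The interplay described above, an SPF check that is of little use on its own until it is combined with a reputation lookup, as an added example that is not from the article or from any vendor it names: a small SPF evaluator over constructed DNS records and a constructed reputation table, feeding a single filtering decision. Every domain, address and score here is an assumption made for the example.

```python
# Added example (not from the CBR article): evaluate SPF for an inbound
# SMTP connection, then combine the result with an IP/domain reputation
# score to reach the filtering decision the article describes.
#
# Assumptions: DNS is replaced by the in-memory SPF_RECORDS table and
# REPUTATION stands in for a commercial reputation service. All values
# are constructed for this example.
import ipaddress

# Constructed SPF TXT records keyed by domain; a real check queries DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    # A bulk mailer that publishes a perfectly valid SPF record.
    "bulkmail.example.org": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Constructed reputation scores in [0, 1]; higher means more trusted.
REPUTATION = {
    "192.0.2.25": 0.9,
    "198.51.100.10": 0.8,
    "203.0.113.7": 0.05,          # host with a bad track record
    "bulkmail.example.org": 0.05,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Return the SPF result for `ip` sending as `domain`.

    Handles the ip4:, include: and all mechanisms with +/-/~/? qualifiers,
    which is enough for the records above. The recursion depth is capped
    so that a looping include: chain cannot exhaust the checker.
    """
    if depth > 10:
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False    # unsupported mechanism: ignore it
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def filtering_decision(mail_from_domain, connecting_ip):
    """Combine the SPF result with reputation: accept, quarantine or reject."""
    spf = spf_check(mail_from_domain, connecting_ip)
    reputation = min(REPUTATION.get(connecting_ip, 0.5),
                     REPUTATION.get(mail_from_domain, 0.5))
    if spf == "fail":
        return "reject"        # server is not authorised for this domain
    if reputation < 0.2:
        # The article's point: a spammer can pass SPF and still be a
        # spammer, so a bad track record overrides a clean SPF pass.
        return "reject"
    if spf in ("softfail", "neutral", "none") and reputation < 0.6:
        return "quarantine"    # unauthenticated and not known to be good
    return "accept"
```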

CONTENT FILTERING

Key players

CipherTrust

CipherTrust is the IDC market share leader in the secure content management appliance category, taking about a quarter of the expanding appliance market, and is attempting to stay ahead of the game on the technological front, introducing a number of new products and enhancements over the last 12 months. The company is aggressively pushing its reputation service, TrustedSource, has launched into instant messaging security and email encryption, and even signed a deal to pilot mail security for Research In Motion’s BlackBerry services.

Fortinet

Fortinet, maker of unified threat management appliances, sold $100m of devices, subscriptions and software licenses last year, increased its annual revenue 60%, and was named leader of its market by a leading analyst firm. Not bad for a privately held company not yet six years old. The company broke out its URL filtering, anti-spam, intrusion prevention and antivirus components into separately licensable subscription modules in the middle of 2005, and caught the convergence between web and email content filtering – admittedly later than some competitors – with new embedded URL-based spam filtering toward the end of the year.

IronPort Systems

IronPort, which is preparing to go public this year, says it grew 67% last year. The company is one of the pioneers of the mail security appliance space, was among the first to focus on source-based filtering as a way to block spam and save bandwidth, and looks set to be a player in the reputation service space, despite offloading its non-core Bonded Sender whitelisting service last April. Having carved out a nice slice of the enterprise market, the company has now expanded into the small and medium-sized business market.

Microsoft

Microsoft is the Internet’s spam police force. More than any law enforcement agency, and certainly more than any other company, Microsoft has aggressively pursued spammers in the courts, securing penalties and enforcing bankruptcies. It even managed to squeeze $7m out of former top-three spammer Scott Richter, where New York’s attorney general, Eliot Spitzer, had only managed to extract a paltry $50,000. The company bought FrontBridge Technologies last summer, entering the managed email security service provider space. In addition, it has built a “computational proof” technology into Outlook in an effort to make bulk-mailing strangers too computationally intensive to be economical.

Postini

Postini, one of the leading providers of email content security as a managed service, did not break out its customer numbers for 2005, but has said it experienced a 60% increase in the volume of email it processes and said it has an over 95% customer retention rate, which gives a clear indication. The company has long recognised that it could not indefinitely sell its services based on the anti-spam capabilities alone, and last year saw it update its services with archiving, back up, encryption, and a partnership with IMLogic (now owned by Symantec) that saw it address instant messaging security.

Secure Computing

Secure Computing leapfrogged into second place in the web content filtering market when it bought rival CyberGuard after a long courtship. CyberGuard had started competing with Secure’s SmartFilter in the URL filtering space when it acquired Germany’s Webwasher over a year earlier. When the acquisition closed in January, the company had about 21 million licensed seats, making it second only to Websense’s 23.9 million.

Sophos

While best known for its antivirus expertise, Sophos recently took a first step into the appliance market with an email security device that guards against virus, spam and policy abuse. The new general-purpose ES4000 unit is said to be the first in a planned series of appliance launches, with separate versions targeted at the needs of small businesses and big business slated to follow. A combined web security and instant messaging appliance is also on the cards, as is a new endpoint security offering in the form of a version that brings antivirus, client firewall, spyware and adware protection to the desktop in a consolidated product.

Symantec

Symantec is the giant of the security industry, and it now offers all the pieces for a comprehensive enterprise anti-spam infrastructure. The company sells software and appliances for the SMTP gateway, the mail server, the desktop and also offers a hosted managed service for those who want their spam blocked before it reaches the corporate network. Its acquisition of IMLogic at the start of the year sends the clear signal that the company plans to merge instant messaging security into its lineup. Likewise, its acquisition of WholeSecurity, while primarily inspired by the need to improve host intrusion prevention, also got it an anti-phishing browser plug-in capability.

Trend Micro

Trend Micro signalled how seriously it is taking the anti-spam and web content filtering market when it broke with 15 years of tradition and actually made an acquisition, buying Kelkea, the company that formed to commercialise the 10-year-old Mail Abuse Prevention System, the granddaddy of real-time black-hole lists. Trend, which has been OEMing Postini’s software for a number of years, is using MAPS to provide its products with a source-based filtering component, and has also hinted that it will use the system in web filtering offerings.

Websense

Websense grew its revenue by a third and its income by half in 2005, as the company continued to leverage its URL filtering market leadership to push related add-on products such as client application control. The company saw 58% of its customers take on an extra service at the end of the year, compared to 50% in the fourth quarter of 2004. Websense had almost 24 million installed seats at the end of the year, narrowly maintaining its market leadership in the face of the merger of Secure Computing and CyberGuard. The firm’s annual refresh of Websense Enterprise 6 saw the company upgrade its reporting and alerting capabilities, as well as introducing new functionality for managing content filtering on remote and roaming laptops.

FIREWALLS

All things to all men

Rik Turner tracks the evolution of the firewall market into multi-function devices, and beyond.

Two recent developments are indicative of the current state of play in the firewall market. In February, BlueCat Networks, a Canadian developer of domain name system (DNS) and dynamic host configuration protocol (DHCP) server appliances, made much of the fact that, in the latest version of the firmware driving its boxes, it had added a MAC authentication capability to run even before a device is assigned a routable IP address. Almost as an afterthought, it mentioned that it had thrown in a firewall for protection against zero-day exploits.

In the same month, mobile phone manufacturer Sony Ericsson launched two new smart phones which, in addition to cameras, email, media players and multiple forms of memory, also come with Firewall Mobile and VirusScan Mobile, both from security vendor McAfee. The two software packages are available on a month’s free trial, after which they are subject to annual licence fees.

Firewalls are becoming ever more pervasive, as an increasing number and variety of devices are networked, from consumer products in the digital home to weapons on the battlefront.

Michio Kaku, a professor of theoretical physics at the City University of New York, says technologies go through four stages of development, although not all technologies make it through all four. First is many-to-one, where there are many people for one piece of technology, a stage in which trains will always remain. Then there is one-to-one, in which each person has one example of the technology: a stage the car, at least in developed economies, is rapidly approaching.

Then comes one-to-many, where a person has many pieces of the same technology, which is where computers, from the desktop to the laptop to the smart phone, are now going. Finally, the technology itself disappears, as Kaku puts it, “into the fabric” of life, which is where computing looks set to go with RFID, smart cars and building automation. That is also where firewalls appear to be headed.

Another timeline for network applications sees them start life as software that the end user loads onto a server, then become dedicated appliances – where the vendor has done the loading and has usually ‘hardened’ the OS on the box for greater security – and finally find their way into other pieces of kit such as switches and routers.

Firewalls have already been through all three of these phases, with major names coming to the fore at each stage. Check Point was arguably the leader in the first, relying on Nokia to put its Firewall-1 software onto its boxes and market them worldwide. The second has a plethora of contenders such as SonicWall and Barracuda; while in the third there is Cisco, offering its PIX firewall as a blade on its Catalyst switches.

The signs from the BlueCat and Sony Ericsson announcements are that firewalls are also moving into a fourth phase. In the case of the DNS/DHCP appliance vendor, the firewall is not actually licensed separately. It simply ships as default with the platform, just as it does with the Juniper SSG.

In addition to network firewalls from vendors such as Check Point/Nokia and Cisco that this article has focused on so far, another area of development is in application firewalls: those that operate up at Layers 4-7 to block attacks in protocols such as HTTP, HTTPS and FTP. “We can operate at the network layer too,

[Charts: Would you consider buying a UTM device? Yes 73.5%, No 26.5%. If no, are you concerned by the potential for the UTM to be a single point of failure? Yes 80.4%, No 19.6%. Source: CBR survey]

but mostly people buy us for the application layer,” says Andrew Clarke, vice president of international marketing for one of the vendors in this space, Secure Computing.

Secure Computing gained a whole lot more weight in the security category after it merged with one of its competitors, CyberGuard, in August last year. Both companies make application proxy-based firewalls. They also both sell web-filtering software, or ‘secure content management’ as it’s now known. The combined company became the second-largest SCM company measured by installed seats after their merger, according to Secure Computing.

Describing itself as able to secure the connections between people, applications and networks, Secure Computing claims its SmartFilter and Webwasher Secure Content Management suite can help companies manage important bandwidth and maintain employee productivity, crucially enabling them to manage their Internet usage policies and reduce legal liabilities.

ENTER THE UTM

Aware of the changes going on around them, the firewall appliance vendors have also moved on. Having always offered VPN concentration on their boxes – so much so that they are often referred to as firewall/VPN devices – over the last three or four years they have gone further, bundling a number of other security packages for a multi-function proposition.

Research firm IDC coined the term universal threat management (UTM) as the category for these devices, and it has stuck, not least because successive vendors like to trumpet the fact that IDC named them number one in UTM for the year 200x.

Vendors of software-only products snipe at appliances, and in particular the multi-function variety that promise a plug-and-play deployability combined with an all-in-one-box approach to network security. Users appear receptive, however. According to CBR’s end-user survey, 74% of respondents said they would consider buying a UTM device.

Cisco’s Catalyst switches loaded with its PIX firewall on a blade typify the trend for the security product to become part of a network element. The company’s Integrated Services Router (ISR), launched at the end of 2004, foreshadowed a trend which has really taken off in the intervening period, namely the branch-in-a-box (BiaB) device.

Branch-in-a-box devices are positioned as all a branch office needs in terms of security and WAN connectivity.

While UTM appliances offer the simplicity of multiple security functions on a single piece of hardware, all running on a common, hardened operating system (usually Linux), BiaB devices go a stage further, adding a router into the equation. They are positioned as all a branch office needs in terms of security and WAN connectivity, and some may even include an Ethernet switch for the branch LAN too. A firewall is obviously an integral part of such an offering, and the ISR ships with the IOS software firewall on the box as default.

A start-up, NetDevices (NetD), last year launched its BiaB offering, which it calls the SG8 Unified Services Gateway. It claims as its differentiator the fact that there is no degradation of the routing capability as each additional piece of functionality is turned on.

Ironically, for what started out as a router plus multiple security functions, NetD quickly found that many customers wanted the box, but asked for the router to be turned off, because they wanted to run it as a UTM device in front of their existing Cisco router. The company obliged and now ships versions with the router included and de-activated, the logic being that, whenever it comes time to replace their old Cisco router, there is the option of simply turning on the router sitting inside the SG8.

In February this year Cisco’s archrival in the high-end routing market, particularly carrier routing, Juniper Networks, joined the fray with its Secure Services Gateway. This device has a firewall and multiple other security functions along with a router and signals Juniper’s attempt to grow in the enterprise market through branch offices.

CBR EXECUTIVE FOCUS • 2006 38 FIREWALLS

Key players

Check Point Software Technologies
This American-Israeli company established its prominent position in the enterprise firewall market in the mid-1990s with its widely used Firewall-1 product, for which it relied heavily on Nokia (and to a lesser extent Nortel) to integrate it onto its hardware and market it worldwide. Since then it has broadened its offering with a multi-function appliance for the smaller business, as well as acquiring market leading personal firewall vendor Zone Labs for the desktop space. Its latest move has been to team up with authentication heavyweight RSA for a bundled offering of the latter's SecureID token technology and Check Point's Conectra SSL VPNs to secure remote connections to corporate networks.

Cisco Systems
By virtue of its reach in the switch and router markets, Cisco is uniquely placed to upsell customers with its security offerings, which, while it offers them as standalone appliances for the sake of choice, are always available as modules to fit into its networking gear. Its PIX firewall actually pre-dates the company's more focused push in security as one of its Advanced Technologies, which are businesses in which Cisco sets itself the goal of reaching $1bn annual revenue. Security was also the first of the group to achieve that goal.

CrossBeam Systems
CrossBeam has an interesting business model in UTM, offering a chassis with a backplane, which it calls a UTM switch, for other vendors to deploy their technologies into for the high-end enterprise and service provider markets. It has, for instance, a deal with Check Point for both the Firewall-1 and the VPN-1 products to be among the technologies integrated into the X-Series appliances from CrossBeam.

Fortinet
Fortinet pretty much made the running in UTM for a couple of years with its FortiGate series of appliances, all of them running on an ASIC designed by the company. It touts this feature as a significant differentiator, in that it claims to have engineered in fast packet inspection capabilities from the silicon up to mitigate the performance hit that multiple security functions inevitably entail. The company suffered a setback last year, however, when it received a cease-and-desist order from the US International Trade Commission after AV vendor Trend Micro accused it of patent infringement, although it claims to have delivered a workaround on the product line affected by the case.

Juniper Networks
Juniper is the most successful challenger to Cisco in either of its core businesses – switching and routing – having taken on networking's 800lb gorilla and won around 30% of the high-end carrier routing market. Having achieved that status, it spent $4bn in 2004 to acquire NetScreen, which by then was a serious challenger in the firewall market thanks to its adoption of the appliance strategy. The two product lines still run on different, proprietary operating systems, but it has begun endowing ScreenOS with some of the key routing capabilities of JunOS. This year the company delivered the first merged entity.

Nokia
Nokia may not make firewall software of its own, but as the second biggest security appliance vendor after Cisco according to IDC figures, it certainly deserves a mention. Nokia provides the appliances, operating systems and various network and systems management capabilities, while Check Point provides the firewall and VPN software for the appliances. It's a relationship that is mutually beneficial, to say the least. For the second quarter of 2005 IDC said Nokia had 11.1% of the security appliance market. "Nokia exhibited the strongest annual revenue growth of the top 5 revenue vendors with 40.7% growth," IDC said. Oliver Harcourt, senior research analyst for IDC's European Enterprise Server research team, noted: "Vendors, resellers, customers, and service providers increasingly utilize appliances to deliver security because of the benefits they offer in terms of performance, convenience, and cost."

Secure Computing
While the likes of Check Point and Cisco fight it out in the area of network-layer firewalls, inspecting traffic at Layers 2 and 3 of the OSI stack, there is a separate set of vendors who market what are now referred to as application firewalls, in that they primarily address Layer 7 (or in reality Layers 4-7). These devices used to be called application proxies because of the way they worked, and it was at that time that both Secure Computing and CyberGuard, the rival security vendor it acquired in 2005, got into the market. They both have appliances in this area, Secure Computing's being the Sidewinder G2 and CyberGuard's the CyberGuard TSP. While the two companies have become one, the product lines for now remain separate, due in part to the fact that they still have separate development teams working on them, although Andrew Clarke, VP of international marketing for the company, said that in the longer term they will converge. The G2 has already made the transition to UTM functionality, Secure having added AV, URL filtering and IDS/IPS to the device's FW/VPN capabilities. Clarke acknowledged that it would be a logical step to integrate into the TSP firewall the Webwasher content security offering CyberGuard came by via the acquisition of the eponymous German ISV in 2004.

SonicWALL
Another challenger in the UTM market is SonicWALL, which made its name in the lower end of the market and still has the image of a supplier to SMB with its PRO and TZ series of firewall appliances, which are now going UTM. Rather than trying to move up into high-end enterprise, the company has adopted a strategy of broadening its portfolio so as to offer the SMB more products. To this end it has been engaging in M&A activity, buying companies in back-up and restore technology (Lasso Logic) and SSL VPNs (enKoo) in November and, in February, adding MailFrontier, a vendor of email security appliances.

WatchGuard Technologies
WatchGuard is even more SMB-focused than SonicWALL and Fortinet, competing primarily in what IDC refers to as the $1 to $999 segment of the threat management security appliances market. Its flagship products are the Firebox UTM range, which goes from a SoHo box, through a wireless device up to an SSL VPN gateway with a range of optional extras.

INTRUSION PREVENTION

Intruder alert

The move from intrusion detection to intrusion prevention has prompted a wave of acquisitions and new product developments. Kevin Murphy reports.

It is now just under three years since an influential security analyst at Gartner published a paper that quickly became known as the 'IDS is Dead' report. The paper acted as a catalyst for a fundamental shift in the R&D and marketing priorities of intrusion detection systems makers, which quickly switched to taking a more proactive and preventative approach to IDS.

In that time intrusion prevention systems have gained mind share and market share. While IDS products are still very much in use, according to CBR's end-user survey about 46.5% of respondents have now implemented an IPS that sits on the network, in the middle of the data flow, and has the ability to block intrusions, rather than just detecting them.

The market has divided itself into roughly two categories, host intrusion prevention systems (HIPS) and network intrusion prevention systems (NIPS). A third acronym, NADS, for network anomaly detection systems, is also gaining recognition. Much like antivirus and firewalls before it, IPS can also be bought as more of a component of an overall threat management system as well as a standalone product.

IPS is one of the requisite features of the multi-function security devices becoming known as unified threat management on the network side. On the host side, IPS functions are often now included in multi-function client security software along with antivirus and firewall.

Internet Security Systems, one of the pioneers of the IDS space, was thrust into IPS a few years ago, and now has one of the more comprehensive IPS catalogues, having heavily focused on that space over the last two years, sometimes to the detriment of other products.

The company tells us that customers buying its Proventia appliances and then deploying them in a purely passive IDS style are becoming less common. Most IPS products on the market have some kind of simulation and/or detection-only deployment option, mainly so administrators can fine-tune the filters without disrupting traffic too much.

"What we're seeing is that IDS, from a network perimeter standpoint, is becoming less of an issue... inline simulation and traditional IDS is less of a deployment choice now," Mark Butler, director of product marketing at the company, told CBR recently.

Of the respondents to CBR's end-user survey that had deployed an IDS with inline prevention features, 90.4% had turned the blocking features on. Part of the reason for this acceptance is increasing confidence in IPS among network administrators, who are often separate from the security administrators, according to Butler.

As adoption increased, the market entered a phase where vendors bulked up their product lines with in-house development and acquisitions. A number of young HIPS firms started to look like attractive targets, but the larger deals were between the older, more established NIPS firms.

There were two big acquisitions during 2005. 3Com finalised its $430m purchase of TippingPoint in January, and made the new business a cornerstone of its turnaround strategy throughout the year. TippingPoint kept its name and has been pushing its new vulnerability research service, in which it will pay white-hat hackers for vulnerabilities they find, in order to give its customers early access to the latest threat protection.

Then, in October, Check Point Software Technologies said it would buy Sourcefire, the company set up to commercialise the open source Snort IDS software, for $225m. At the time of writing, that deal had been approved on competition grounds but was still being reviewed by the US government for compliance with national security regulations, as Check Point is based overseas.

It is a pretty important deal for Check Point, which has been a market leading firewall software vendor for many years but has somewhat lagged competitors when it comes to IDS and IPS.

Sourcefire, formed in 2001, maintains the Snort engine, which has been downloaded millions of times and is incorporated in a wide variety of network security products. The company also has OEM partnerships with the likes of Crossbeam Systems. Sourcefire in November was also behind the formation of the Open Source Snort Rules Consortium, a community effort to maintain a database of Snort intrusion rules, reducing the amount of duplication that goes on in the creation of rules.

Check Point's previous efforts in IPS mainly come under the InterSpect internal firewall brand, but when it closes the Sourcefire deal it is expected to start integrating the Sourcefire software into its internal and perimeter security products.

The deal will certainly help Check Point compete with its old rival Cisco Systems, which got into the NIPS space a year ago, when it added prevention features to its old IDS software, and called it IPS 5.0. Cisco offers the product as a standalone appliance, or as a software module for its popular Catalyst switches. This is in keeping with the company's long-term vision of the "self defending network", in which security is not added to the network as an afterthought, but rather comes as an intrinsic component of networking gear. Whether that strategy plays out will depend on whether companies are comfortable with the one-stop shop, or prefer to go best of breed.

But the vendors have not stopped at the network perimeter. Increasingly, intrusion prevention is being pitched as a suite that sits at the edge, on the internal switches, and which penetrates right to the host itself.

Cisco, in turn, was playing catch-up to Juniper Networks, which got a major head start in intrusion prevention when it bought NetScreen Technologies a couple of years back. That said, it took Juniper some time to realise the kind of serious NetScreen synergies that will help it compete with Cisco in the enterprise networking market. It was just this February, almost two years after the deal closed, that the company released the Secure Services Gateway, an enterprise router with all the firewall, VPN and IPS stuff built in.

On the software side, some of the leading security companies have been focusing largely on the host. Symantec in September bought privately held WholeSecurity, a maker of HIPS software that detects malicious behaviour on client computers. The selling point was that detecting behaviour, rather than specific files or processes, often enabled protection against zero-hour threats: malware so new that antivirus companies have yet to push out signatures to detect it. A typical WholeSecurity deployment would complement an SSL VPN network, scanning the client for suspicious behaviour before allowing connectivity.

For Symantec, that acquisition was a technology play. The behavioural functionality will be integrated into products across the company's catalogue. It also nicely complemented the network access control software that Symantec picked up when it acquired Sygate in August. Following that deal, Symantec started working on its own NAC network devices, which it plans to release this April.

McAfee, too, which redefined itself as an intrusion prevention company in 2004, released a number of upgrades to its acquired HIPS and NIPS packages during 2005, mainly aimed at preventing specific types of attacks. For example, its Entercept host software gained features for preventing USB device attacks, while its IntruShield network appliance gained the ability to detect and block botnet communications from compromised hosts. More recently, the company unveiled its Policy Enforcer, which integrates with its ePolicy Orchestrator management tool to give companies a NAC-like system for quarantining hosts that do not comply with security policy.

While it is not technically IPS, the NAC space looks set to be the next battleground for the IPS industry, particularly with the 2006 release of Windows Vista, which promises Microsoft's own take on NAC, Network Access Protection. If the move from IDS to IPS saw vendors taking a more proactive approach to defending networks, then NAC could be seen as more proactive yet: you are not just preventing intrusions, but actively mitigating the risk of successful intrusions compromising assets.

HAVE YOU IMPLEMENTED AN IDS WITH INLINE PREVENTION FEATURES?
Yes: 46.6%
No: 53.4%

IF YES, HAVE YOU TURNED ON THE PREVENTION FEATURES?
Yes: 90.4%
No: 9.6%

Source: CBR survey


Key players

3Com (TippingPoint)
3Com was floundering, and its early 2005 acquisition of TippingPoint Technologies was designed to be a key piece of its financial turnaround. Rather than just absorb the company, 3Com kept the TippingPoint brand and gave key executive roles to its top technologists. During 2005, the company took on ISS's X-Force with the launch of the Zero Day Initiative, which will pay hackers for finding vulnerabilities that its IPS appliances can then protect. It also stepped into the unified threat management space with the launch of its X505 boxes, and, recognising concerns about security devices as bottlenecks, continued to ramp up its hardware to handle tens of gigabits per second of traffic.

Check Point Software Technologies
Check Point's $225m acquisition of Sourcefire promises to make the Israeli company a leading player in intrusion detection and prevention. Sourcefire's close connection to the open source Snort IDS/IPS project means that Check Point will get its hands on some of the most mature and broadly used software in the market. The deal nicely complements its acquisition two years ago of Zone Labs, the leading host-based firewall vendor. These combined, and leveraging the company's SmartDefense services and large firewall market share, mean Check Point is well-positioned in the IPS space.

Cisco Systems
Networking's giant got into intrusion prevention systems in January 2005, with the launch of its Cisco IPS 5.0 software. The technology was based on its still-available intrusion detection system software, but with the option to actively block attacks it detects. The product can be acquired separately, but Cisco's vision of making security a fundamental component of the network infrastructure means the company is also making it available across a large range of its other non-security platforms, such as the widely deployed Catalyst switch line.

Internet Security Systems
ISS is the father of the intrusion detection systems market, first selling its RealSecure IDS software ten years ago. Over the last few years, the company has refocused, adapting its flagship software to work as an inline preventative measure, bringing all its IDS and IPS products under the Proventia branding umbrella. The company has expanded into vulnerability research and managed security services, but continues to expand upon Proventia. Last year, the company came out with behaviour-based antivirus technology, which can be deployed to the network or host to block viruses without the need for signature updates. It also recently signed a deal to OEM Arbor Networks' network anomaly detection system software, giving it the potential for a greater presence on the interior of enterprise networks.

Juniper Networks
It took a while, but Juniper is finally releasing enterprise networking gear that incorporates the firewall and IPS functions it acquired when it bought NetScreen two years ago, giving the company the ability to start taking market share from Cisco in its core enterprise market. The company also acquired Funk Software for $122m last November, giving it some more network access control technology.

McAfee
Two years ago McAfee, realising it was becoming increasingly unfocused, sold off its non-core businesses and announced it was now in the intrusion prevention space. Its acquisitions of the IntruShield and Entercept product lines gave it preventative capabilities at the host and on the network. In the last 12 months, building on top of these platforms, the company has recognised the push towards network access control systems, and announced its own offering in this emergent market early this year.

NFR Security
NFR last August upgraded its IDS/IPS appliances to surpass the gigabit speed limit for the first time, and was to start selling a 10Gbps offering early this year, potentially taking the company higher upmarket into the enterprise space, having previously been excluded from big accounts due to performance concerns. The company employs eight intrusion detection techniques. Its recently launched Dynamic Shielding Architecture is supposed to represent the company's focus on protecting customers' networks from the vulnerability, rather than the specific exploit: a strategy shared with other vendors that realise the importance of protecting against zero-day attacks.

Symantec
Although aimed more at the mid-tier, Symantec's brand recognition and substantial market clout give it a strong position in almost any security subsector. In IPS, the company released its first set of Symantec Network Security 7000 appliances in 2004, and last year updated them to identify the telltale characteristics of spyware and botnet traffic, adding a new layer of protection against some of the newer threats to hit the Internet. Its acquisitions last year of Sygate and WholeSecurity give it some of the technology building blocks to incorporate host-based IPS into its expansive line of security products, as well as giving it a foothold in the nascent network access control market.

Top Layer Networks
Nine-year-old Top Layer has what it calls "three dimensional protection", a marketing slogan to reflect the fact that not only does it have intrusion prevention in the form of malicious code blocking and a stateful inspection firewall, it also offers denial-of-service attack mitigation services, using traffic rate-based technology, which was its core founding technology. The company believes it has found a sweet spot, protecting customers against the newer types of attacks that combine malicious code distribution and flood-based extortion.

PATCH MANAGEMENT

Patch work

Patch Tuesday may have made patching Microsoft systems a more regular occurrence, but that does not mean systems administrators can relax in-between. Kevin White reports on the importance of keeping systems up to date.

Patch management is a must-do job that must be done well. It is not good enough for it to be carried out as a knee-jerk reaction, or as a belated response to the latest vulnerability. IT shops are increasingly pressed to offer the business the urgent protection it needs against zero-day attacks. But IT also needs to be conversant with the more regular routines of Microsoft's 'patch Tuesday' monthly security update cycle: the likely impact of any mass attack against some Windows vulnerabilities is simply too great to leave to chance.

Fortunately, there are numerous software tools that relieve some of the burden of sourcing, deploying, tracking and reporting patches. As well as the specialist patch management suites supplied by the pure-play niche vendors BigFix, PatchLink or Shavlik, many of the software distribution and change management products of the mainstream server and desktop systems management vendors have also been cast as patch management tools.

NETWORK QUARANTINE

The recent addition by Altiris of Security Expressions is designed to provide administrators with audit tools that help identify vulnerability hotspots across networked assets before they plan their quarantine and patch management policies. The Expressions software checks end-point devices for any unauthorised hardware or installed software, validates password and security configurations, runs scans to verify the status of installed antivirus programs and confirms that the personal firewall is valid. Altiris is pushing a four-stage secure, audit, fix and enforce (SAFE) regime as a means of linking security policy to configuration management to support the process of network quarantine and patching. It mixes agent-based and agentless systems monitoring techniques to provide the various remediation utilities that are needed by organisations to manage patch management tasks as part of a broader remit defined by the security policy.

This is important as it does seem that a good many IT departments are yet to build reliable patch procedures into a systematic process that prevents outages and safeguards against any disruption to service. CBR's end-user security survey showed that 38% of organisations release patches as and when they see fit, with only 9% dealing with patches regularly once a week and another 9% carrying out fixes once a month. It is an onerous task to apply the hundreds of fixes that come out each year for operating systems, applications and other programs, but an efficient patch management regime has become an increasingly critical requirement.

Patch management is a process that has to successfully bridge the activities of IT operations and the management of data security. It also calls for up-to-date asset information to assess which systems need to be patched, wherever they are on the network and whatever the operating system platform. Microsoft has begun to update its Systems Management Server so it can be used to deploy security patches and updates from a variety of industry partners, and is to bolster SMS with vulnerability assessment functions that build on existing SMS asset inventory features. Shavlik Technologies, which has to date concentrated on patch management solutions for the Windows market, is also providing tools for the Unix and Linux markets.

VULNERABILITY PRIORITISATION

BigFix is promoting its Vulnerability and Configuration Management Suite as a way administrators can prioritise fixes, patches, and other remedial actions according to a view of an asset's criticality to their business. The system will provide vulnerability severity information as defined by the Common Vulnerability Scoring System (CVSS) for operating system, configuration and application vulnerabilities on Windows, Sun Solaris, and Red Hat Linux computers.

CVSS promises to transform the way in which network threats are evaluated and dealt with, in the way that the common rating system it provides makes for a framework against which enterprises can start to prioritise their patch routines. Currently, the lack of a common scoring system has security teams worldwide trying to solve the same problems with little or no co-ordination, and often without any clear view of which patch is urgent and which fix can wait.

As well as being able to deploy patches reliably and scan distributed and occasionally connected IT assets


HOW OFTEN DO YOU PATCH YOUR ENTERPRISE SYSTEMS?

As advised by vendors: 28.0%
Once a quarter: 5.8%
Once a month: 9.4%
Depends on service provider: 9.4%
Once a week: 9.2%
As and when: 38.2%

Source: CBR survey

accurately, the patch management process has to be able to sustain the reports that are needed to prove compliance. PatchLink, for one, has added a selection of management features and reporting capabilities geared towards HIPAA, FISMA and Sarbanes-Oxley compliance that link into its Enterprise Reporting Server to provide asset and vulnerability reports from a single console.

Similarly, Symantec's acquisition last year of policy management vendor BindView brought with it a core set of security products seeded with all the necessary compliance content for organisations to be able to define a roadmap to compliance. It has since unveiled new software stemming from that deal that promises to automate the mapping of regulatory 'control statements' to actual network activities such as patch management.

The patch management sector has consolidated quickly, driven by the big security scanning software vendors who have also started expanding their portfolio through acquisition. This is particularly true in the related area of network access control (NAC).

NAC can ensure that unpatched systems do not connect to the network, and it can be configured to provide updates to out-of-date systems automatically. This makes it ideal for managing the security of laptops that might otherwise not be updated by organisations' patch management systems. The NAC concept sees computers isolated to quarantine networks if they are found to be uncompliant with security policies, such as having out-of-date antivirus software or an unpatched operating system.

Symantec entered the space when it bought Sygate, and this year moved to put its NAC offerings into an easy to deploy security appliance. Sygate's system comprises a policy creation client, policy manager and various enforcement agents, which sit on devices checking policy and quarantining computers to patch remediation servers if and when they do not meet requirements. A comparable system comes from McAfee in the shape of its ePolicy Enforcer product.

Security services providers such as Cybertrust are also getting in on the act, offering patch services that, by aggregating data on its customers' network topologies and vulnerabilities, will enable them to prioritise their responses to threats. It uses data aggregation and collates it with an awareness of compliance requirements to enable prioritisation. Similarly, IDS/IPS vendor Internet Security Systems touts its Virtual Patching capability as a first-response approach to threats.

Faced with sector consolidation, the independent patch management suppliers are slowly making a move into the anti-spyware sector. Anti-spyware is getting the fullest of attentions of the antivirus software vendors, but it is also complementary to the process of patch management, and scans use a lot of the same techniques for checking registry settings, altered files, and the like. An unpatched software vulnerability is often the way a spyware program is installed on a target machine.

Shavlik Technologies has its own homegrown anti-spyware, NetChk Spyware, that comes as a standalone system, and NetChk Protect, which combines the anti-spyware with Shavlik's patch management software sharing the same management tool. Companies that build their patching functions on top of Shavlik's technology include Symantec, BMC Software and NetIQ. Microsoft's Baseline Security Analyzer is also based upon Shavlik software.

BigFix is taking a different approach to the market, and one that focuses more on the management overlay, rather than the detection engine itself, for which the company has an OEM arrangement with CA for its PestPatrol product.


Key players

Altiris application and inventory regarded as one of its strengths. The product suite is Altiris specialises in the tools management. Marimba Patch This identifies all devices with an particularly strong on asset that manage desktop software Management enables the IP address such as PCs, laptops, auto-discovery and inventory assets, ranging from asset management and deployment printers, routers and switches. audit features, sitting management to software image of security and functional An inventory is also created of alongside the ZENworks Asset deployment. It is also getting patches on servers, desktops all software installed on each Management portfolio, which into software virtualisation, an and laptops across the enterprise. device that is discovered. The came with Novell’s acquisition approach that decouples the associated Security Suite is of Tally. application from the operating CA designed to enable systems and which it is applying Unicenter Patch Management is administrators to perform PatchLink to remote desktop management. at the core of the company’s system inventory, identify PatchLink develops patch, Over the past five years the offering for software patch vulnerabilities, and test and vulnerability and compliance Altiris portfolio of systems tools management, but for a couple of deploy fixes, as well as remove management software and has been extended through years CA has also had a and block spyware and malware has been in fixed-network product development and Vulnerability Manager appliance. programs from a single suite. patch management since acquisition to handle most aspects This identifies security 1999. 
of the lifecycle management of desktop assets, including asset management, software image deployment, patch and vulnerability management and service desk automation.

BigFix
BigFix claims that over 350 enterprises and government agencies across a wide range of industries use its security configuration management. Although it started life as a patch management vendor, BigFix has been trying to extend its market footprint with a unified security, configuration and systems management suite. It delivers real-time visibility and control of static and mobile computing assets, and helps enterprises manage regulatory compliance and corporate governance across distributed networks. Its systems manage patching and vulnerability management routines, security policy and end-point controls, antivirus, spyware programs, from a single console.

BMC
Systems management software vendor BMC paid $239m for an entry ticket to the broad change and configuration sector when it bought Marimba, the software distribution company. Marimba’s functionality covers areas such as inventory, provisioning, packaging, configuration, and auditing and repair, as well as deployment processes.

vulnerabilities and then helps streamline the process of rectifying them by changing configurations or applying patches. The inclusion of a software delivery component of CA’s flagship Unicenter software allows Vulnerability Manager to provide remediation as well. The company has gone even further with this and now also sells an eTrust Managed Vulnerability Service, as a 24x7 subscription-based service for detecting and remediating vulnerabilities remotely.

IBM
IBM Tivoli Intelligent Orchestrator and IBM Tivoli Provisioning Manager are two products in the IBM arsenal that can be used to assist in the operating system and application patch management cycle. The flagship Tivoli Configuration Manager is most commonly used to automate fixes for Microsoft environments as part of a process of managing inventory, software distribution and patch management processes. The system obtains software patch signature files and distributes them to client machines. It then rescans the client machines to verify successful installation and update the inventory.

LANDesk
LANDesk’s core Management Suite product incorporates an auto discovery feature, which is

Microsoft
With 99% of the world’s organisations using some form of Microsoft platform, every new vulnerability that appears will affect every security administrator. The company started almost a year ago to give a few days’ advance guidance on its patch release schedule, along with some assessment of the likely severity of its impact on the security infrastructure. Microsoft now releases previews of its patches on the Thursday before the second Tuesday of each month, to give administrators a chance to plan their Patch Tuesday workloads. It still delivers fixes on an ad hoc basis and will also issue patches in bundled chunks that cannot be separated, rather than addressing each vulnerability separately. The firm said this is to increase the speed of download and ease of patching, but bundling is also good for saving face by keeping big numbers out of headlines.

Novell
Novell’s ZENworks Patch Management suite will automatically apply fixes across Windows, NetWare, Macintosh, AIX, Solaris, HP-UX and other operating systems. Its ZENworks suite is being augmented, not only for single-console management of multi-operating system platforms, but also to support mobile devices.

Its unique patch fingerprinting technology is a core component of the company’s PatchLink Update flagship product. The software downloads all issued patches from major technology vendors into a secure repository, tests each patch against over 250 standard images, searches out where vulnerabilities exist on a network and then schedules a deployment of the required patches. Lately it has extended its capabilities into enterprise mobility, with the launch of client versions for the leading PDA and smart phone platforms.

Shavlik Technologies
A company best known for providing Microsoft-based security solutions to Fortune 500 and medium-sized businesses, Shavlik is making a push into the broader markets of combined anti-spyware and patch and management software, Unix and Linux. Founded in 1993, the company started to help set the pace in its sector by providing scanning technology that ties directly to Microsoft’s security patch XML database. Its systems let administrators work with patches in a variety of ways, according to the type of patch, their criticality, machine grouping and
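The Microsoft entry above describes a fixed monthly rhythm: advance guidance on the Thursday before the second Tuesday of the month, then the patches themselves on Patch Tuesday. The script below is an added example written for this page, not code from the CBR article or from Microsoft. It computes those two dates for any month so that an administrator can block out planning and deployment windows ahead of time; the `deploy_days` deadline is an assumed local policy value, not something the article states.

```python
"""Patch Tuesday planner.
Added example for this page; not code from the CBR article or from Microsoft.
Computes the second Tuesday of a month (Patch Tuesday) and the Thursday before it,
when the advance notification described above arrives. `deploy_days` is an assumed
local deployment deadline, not something the article states.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta
from typing import NamedTuple


class PatchWindow(NamedTuple):
    preview: date        # Thursday before Patch Tuesday: advance guidance published
    patch_tuesday: date  # second Tuesday of the month: patches released
    deploy_by: date      # assumed internal deadline for finishing deployment


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th (1-based) occurrence of `weekday` (Mon=0 .. Sun=6) in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7   # days from the 1st to the first such weekday
    day = 1 + offset + 7 * (n - 1)
    if day > calendar.monthrange(year, month)[1]:
        raise ValueError(f"no occurrence {n} of weekday {weekday} in {year}-{month:02d}")
    return date(year, month, day)


def patch_window(year: int, month: int, deploy_days: int = 14) -> PatchWindow:
    """Preview Thursday, Patch Tuesday and deployment deadline for one month."""
    tuesday = nth_weekday(year, month, calendar.TUESDAY, 2)
    preview = tuesday - timedelta(days=5)          # five days back from a Tuesday is Thursday
    return PatchWindow(preview, tuesday, tuesday + timedelta(days=deploy_days))


def next_patch_tuesday(today: date | str) -> date:
    """First Patch Tuesday on or after `today` (a date or ISO string), rolling into next month."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    candidate = nth_weekday(today.year, today.month, calendar.TUESDAY, 2)
    if candidate >= today:
        return candidate
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def yearly_schedule(year: int, deploy_days: int = 14) -> list[PatchWindow]:
    """All twelve windows for a year, for pasting into a change calendar."""
    return [patch_window(year, m, deploy_days) for m in range(1, 13)]


if __name__ == "__main__":
    for w in yearly_schedule(2006):
        print(f"preview {w.preview}  Patch Tuesday {w.patch_tuesday}  deploy by {w.deploy_by}")
```

Running it for 2006 lists the twelve preview/release pairs for the year the article covers; `next_patch_tuesday` is the helper a change-control script would call to decide whether a requested maintenance window collides with the next release.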

SECURITY GOVERNANCE

Policy matters

The vast complexities of compliance look daunting, but in the context of IT the issue comes down to matters of reporting and of governance. Kevin White reports.

For the past two or three years IT vendors have been falling over themselves to bring to market new compliance tools that organisations can use to prove the integrity of their business processes and procedures, and the robustness of their IT infrastructure and practices.

The technologies of access control and data security, business process management and process automation, and document and records management can all come into play. But software tools alone are insufficient. As well as having the right systems to maintain control and compliance, the correct checks and balances are needed in the shape of some well-defined business rules and a clear policy statement.

The latest products reflect this need and combine the necessary software tools with a process framework designed to help organisations translate what often can be ambiguously worded regulations into actionable IT controls that will demonstrate compliance. Typical of this trend is the latest version of Hewlett-Packard’s identity management suite.

It comes as a bundle of access control, identity federation, provisioning and auditing software, together with a visual modelling framework that maps compliance guidelines to existing or new IT audit controls. It will also provide a centralised audit system to prevent tampering of records by requiring digital signatures for each administrative action. Finally, it will provide the scheduled or ad hoc reports that are deemed necessary to satisfy the auditors.

The enhanced HP OpenView Select Identity suite reduces the burden of change and compliance management processes, by reducing the documentation overhead when systems and applications are added, upgraded or retired. But it will also prevent changes that are not aligned with documented policy statements or change control processes.

Control of the change management process has been an objective for Mercury Interactive during the development of its IT governance portfolio. The vendor’s BTO (Business Technology Optimisation) branded governance offering is positioned against three other essential control modules addressing quality, performance and business availability.

The governance software is designed to give executives concurrent views into changes to any software or process that is likely to impact quality, performance or service levels. The system will also track the impact of a change from test through to deployment and production, maintaining an audit trail all the while.

Software like Mercury’s falls into a relatively new category of emerging compliance solutions that has been fostered mostly by Niku, the project portfolio management software supplier that was acquired last year by CA. Before it was acquired Niku had successfully morphed its once project manager software into a modern web-based tool for IT governance.

The company line is that IT governance software has a key role to play in helping companies achieve legislative compliance by providing them with a broad view of their IT investments. Whether it is SOX, Basel or HIPAA, there are issues with compliance that stem from being able to exert the correct controls over the business.

CA Clarity, as the Niku line is now branded, provides an overall governance view of what is going on in the enterprise, but can also be used to give visibility and control of IT projects and processes at the planning and operational level. As such, these tools provide a useful intelligence feed to the CIO’s office, where corporate responsibility for compliance seems to rest. According to CBR’s end-user survey, 43% of CIOs and IT directors are held responsible for driving their organisation’s compliance initiatives. Only 23% of organisations have appointed a compliance office.

WHO DRIVES COMPLIANCE WITHIN YOUR ORGANISATION?
CEO                      14.03%
Financial director       12.47%
Compliance unit/officer  22.86%
CIO/IT director          42.6%
Other IT staff           14.03%
Other business staff      5.97%
No one                    4.16%
Source: CBR survey

Not surprisingly, given that offerings like CA Clarity have originated from the project and asset management worlds, these tools can prove very effective at providing resource-focused views on IT governance. This is essential if the cost of compliance management is to be contained.

REGULATORY COMPLIANCE

It is said that a business with revenue of $5bn can expect to spend $10.5m on average meeting its compliance obligations. That is one good reason why many organisations are now committed to automation, and why vendors such as RSA Security and Symantec are behind software developments intended to strip out some of the costs of meeting regulatory commitments.

One of the top requirements for passing an audit is demonstrating control over user access of IT infrastructure and the change management process. In this light, the triple-As of authentication, authorisation and access control are strong elements in any security policy and will be at the forefront of any compliance program.

Enterprises traditionally use strong authentication for remote access users, but they are starting to deploy it at the desktop level and eventually out to customers and consumers. Banks in the US have new regulations compelling them to offer two-factor authentication to their users. And ecommerce companies face the threat of losing brand value, if not revenue, to various forms of fraud. They are looking to the likes of RSA Security for soft tokens that integrate with the web browser and can be used to authenticate log-ins or transactions. Vertical industry mandates such as those being addressed by the Payment Card Industry data security guidelines are other drivers. The PCI guidelines set by the likes of Visa, MasterCard and American Express require merchants to have the security of their key storage and processes to be auditable. RSA’s software will plug into point-of-sale and CRM applications to manage transaction encryption that would comply with credit card company guidelines.

The acquisition last year by Symantec of policy management vendor BindView provided the antivirus company with a new set of products that have comprehensive compliance content already included. They are seeded with templates that map the IT controls needed to comply with regulations such as Sarbanes-Oxley, FISMA, HIPAA, Basel II and GLBA. These systems are described as producing a roadmap to compliance. The BindView products apply a built-in knowledge of some specific regulation to one or more of the industry-accepted frameworks such as ISO 17799, NIST SP800-53 or COBIT.

COBIT is an IT governance framework and supporting toolset that allows IT and business managers to bridge the gap between control requirements, technical issues and business risks. Now in version 4.0, it has just been upgraded with a stronger business focus and some inbuilt governance practices. The refinements are intended to reflect changes in the way businesses operate, such as the need to provide management and control guidance that is suitable for the current IT operational environment and which also meets the needs of regulators, security professionals and auditors.

One demand from compliance auditors will be for consistency. There is a need to ensure that they are able to compare like with like, and that any changes or required improvements in the enterprise security posture are visible and easy to track. IBM maintains that its Tivoli Security Compliance Manager helps organisations define consistent security policies. Its other use is in monitoring the application of the very security policies that set the tone of an organisation’s risk posture. Compliance Manager acts as an early warning system against policy violations in that it first identifies security vulnerabilities and then, by integrating with Tivoli’s other automated security management tools, goes on to help mediate security policy violations. Again, it comes with templates in the form of pre-defined recommended security policies for mandates such as SOX or HIPAA, but these can also be customised to fit specific regulatory, industry or corporate security policies.

INFRASTRUCTURE MANAGEMENT

IBM maintains that the impact of a mandate like SOX can ripple out across an organisation and its systems will automatically scan all servers and desktop systems for changes. It will reconcile any state changes and monitor deviations from a centrally held policy. The complementary Tivoli ID Management and Access Manager suites can be set up to control and report on what any individual user does on the network, which resources they attempted to access, and where they have been successful. Clearly, the management of the security policy needs to go hand in hand with the management of the underlying infrastructure hardware systems, databases and applications.

As a result, most security software vendors will provide hooks or relays into the popular systems management frameworks that are deployed across most large organisations. These relays will trigger alerts at a console, send an alarm to the appropriate personnel, or issue a report to indicate that a policy violation has occurred.
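Two mechanisms in the article lend themselves to a worked example: the Infrastructure management section’s description of scanning servers and desktops, reconciling their state against a centrally held policy and relaying violations as alerts, and the earlier description of a centralised audit system that signs each administrative action so that records cannot be tampered with unnoticed. The Python below is an added example written for this page, not code from the CBR article or from IBM, HP or any other vendor named in it. The policy settings, host names, scan results and actor names are constructed sample data, and an HMAC over each record stands in for the per-action digital signature the article mentions; the chaining and verification logic would be the same with a public-key signature, which is what a production system would use so that auditors can verify the trail without holding the signing key.

```python
"""Policy-deviation check with a tamper-evident, per-record signed audit trail.
Added example for this page, not code from the CBR article or from any vendor in it.
POLICY, SCAN_RESULTS and actor names are constructed; an HMAC stands in for the
per-action digital signature the article mentions (same chaining/verification logic).
"""
from __future__ import annotations
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Centrally held policy (constructed): setting -> (required value, severity).
# Keys ending in _min/_max are thresholds; all others must match exactly.
POLICY = {
    "ssh_root_login": ("no", "high"),
    "password_length_min": (12, "medium"),
    "audit_logging": ("enabled", "high"),
    "av_signature_age_days_max": (7, "medium"),
}
# Constructed scan results, as a systems management framework might report them.
SCAN_RESULTS = {
    "fileserver01": {"ssh_root_login": "no", "password_length_min": 14,
                     "audit_logging": "enabled", "av_signature_age_days_max": 3},
    "webproxy02": {"ssh_root_login": "yes", "password_length_min": 8,
                   "audit_logging": "enabled"},  # reports nothing for AV signature age
}

@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    expected: object
    actual: object   # None when the host reported nothing for the setting
    severity: str

def compare_value(setting: str, expected, actual) -> bool:
    """One compliance rule: thresholds for _min/_max settings, exact match otherwise."""
    if actual is None:
        return False
    if setting.endswith("_min"):
        return actual >= expected
    if setting.endswith("_max"):
        return actual <= expected
    return actual == expected

def check_host(host: str, observed: dict, policy: dict = POLICY) -> list[Deviation]:
    """Reconcile one host's observed state against the policy; return its deviations."""
    return [Deviation(host, s, exp, observed.get(s), sev)
            for s, (exp, sev) in policy.items() if not compare_value(s, exp, observed.get(s))]

def check_estate(scan: dict, policy: dict = POLICY) -> list[Deviation]:
    return [d for host, obs in sorted(scan.items()) for d in check_host(host, obs, policy)]

def relay_alerts(deviations: list[Deviation]) -> list[str]:
    """Console relay: high-severity findings become alerts; the rest stay in the report."""
    return [f"ALERT {d.host}: {d.setting} expected {d.expected!r}, got {d.actual!r}"
            for d in deviations if d.severity == "high"]

@dataclass
class AuditTrail:
    """Append-only trail: each record carries the previous record's MAC and its own MAC."""
    key: bytes
    records: list[dict] = field(default_factory=list)

    def _mac(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def record(self, actor: str, action: str, detail: dict) -> dict:
        prev = self.records[-1]["mac"] if self.records else "genesis"
        body = {"seq": len(self.records), "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        entry = dict(body, mac=self._mac(body))
        self.records.append(entry)
        return entry

    def verify(self) -> int | None:
        """Sequence number of the first bad record (edited, reordered or removed), else None."""
        prev = "genesis"
        for i, entry in enumerate(self.records):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return i
            prev = entry["mac"]
        return None

def run_compliance_cycle(key: bytes, scan: dict = SCAN_RESULTS) -> tuple[AuditTrail, list[str]]:
    """One cycle: scan, record every finding and the relay action, return trail and alerts."""
    trail = AuditTrail(key)
    deviations = check_estate(scan)
    for d in deviations:
        trail.record("scanner", "deviation", {"host": d.host, "setting": d.setting,
                                              "expected": d.expected, "actual": d.actual})
    alerts = relay_alerts(deviations)
    trail.record("admin.jdoe", "alerts_relayed", {"count": len(alerts)})  # constructed actor
    return trail, alerts

if __name__ == "__main__":
    trail, alerts = run_compliance_cycle(b"placeholder-signing-key")
    print("\n".join(alerts))
    print("trail intact:", trail.verify() is None)
    trail.records[0]["detail"]["actual"] = "no"   # a finding quietly "tidied up" afterwards
    print("first tampered record:", trail.verify())
```

With the constructed data, `fileserver01` is compliant and `webproxy02` produces three deviations, of which only the root-login finding is high severity and becomes an alert; the trail then holds four signed records. Editing, deleting or reordering any record changes the sequence number, the chained `prev` value or the MAC, so `verify` reports the first record an auditor can no longer trust.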


Key players

Altiris
Fast growing systems management specialist Altiris has expanded beyond its change and configuration management roots in the last 18 months thanks to a number of acquisitions. Following the purchases of Wise Solutions in December 2003, FSLogic in February 2004, Bridgewater Technologies in September 2004, and Tonic Software in January 2005, March 2005 saw the company snap up IT vulnerability management player Pedestal Software for $65m, adding compliance software to its portfolio. The purchase led to the release of Security Management Suite two months later.

CA
CA created a Business Service Optimisation unit last year signalling a new focus for the company which will build on its existing lifecycle and systems management products to target BSO via business process modelling, IT service management, enterprise change management and IT governance. CA believes its acquisition of Niku will allow it to compete more effectively against fellow competitors including Mercury Interactive, IBM and Compuware. The merger could pose problems for Mercury, which has one of the most comprehensive offerings in the industry and will now have to contend with a company the size of CA.

Elemental Security
Elemental touches on several markets, such as patch and network management, but the start-up competes most directly against policy management vendors such as Symantec’s BindView and NetIQ in the way its systems can help companies comply with their internal security policies and external regulatory pressures. The Elemental Compliance System combines policy management, host configuration and network access control functions in one package. Security administrators create policies that are pushed out to their endpoints, where they are enforced. The first version of the software shipped with 1,700 common policy rules to choose from, and more are to be added.

Mercury Interactive
Governance software vendor Mercury has had governance problems of its own, with the company having to let go some top officials last year in the aftermath of an SEC-prompted internal report over questionable options practices between 1996 and 2002. It is in the middle of a strategy to go upmarket from software testing tools to IT governance, where it competes mostly with the latest CA acquisition target, Niku. Mercury’s umbrella Business Technology Optimisation suite comes fitted with the latest dashboard views so that IT governance information is more readily shared with software teams in the trenches, while the project management office gains more current views on the health of software in the portfolio. The software also comes with an accelerator module, which comprises a set of template-driven guidelines for how companies should go about adapting their IT functions to comply with regulations such as Sarbanes-Oxley and HIPAA (Health Insurance Portability and Accountability Act).

NetIQ
Systems and security management software vendor NetIQ has undergone something of a transformation by divesting itself of some elements of its broad portfolio to concentrate on a strategy to provide systems to support ‘knowledge-based service assurance’. It resells the FullArmor policy management administration product and its own Group Policy Suite, as a means of better managing security controls mandated in enterprise security policy documents across an Active Directory environment. Administrators can create multiple group policy objects (or GPOs, key components of Active Directory) to enforce the same policies with different settings to accommodate a variety of network scenarios.

Secure Computing
The company has recently acquired rival firewall vendor CyberGuard, which also has a strong pedigree in developing security policy management systems. The aim of such policy control systems is to provide administrators with a 360-degree view of all network activity. The aim is for a single managed environment where the security policy extends to the edge and the rules can be enforced in an orchestrated fashion. Administrators could drill down into alerts to view the associated network events and generate reports to perform forensic analysis. The Global Command Center is built around a quartet of management modules for configuration management tasks such as policy control, VPN modelling and role-based administration, security event management, log management duties such as collection and storage of reports, and patch and licence management.

Symantec
A couple of years ago Symantec’s revenue stream was divided pretty much equally between enterprise and consumer sales, but a series of acquisitions has indicated that Symantec wants increasingly to be seen as a software supplier to big business with a product portfolio that extends from security to storage and archiving and onto systems management. It also wants to supply software support systems that will provide IT shops with the maps they need to steer compliance, and other programs that will automatically map an application based on the infrastructure on which it runs. Lately it has started to market new software stemming from the BindView deal that promises to automate the mapping of regulatory ‘control statements’ to actual network activities.

Websense
Enterprise web filtering and security vendor Websense maintains that the management of workers’ online activities is an important aspect of compliance control. Its data will feed into security event management products like those of Network Intelligence. Organisations will be able to track employee Internet usage patterns alongside the other network and perimeter security data sources being monitored as part of their security information event management regime. The company maintains the steps will help customers to develop a complete view of security events across the entire enterprise and support new compliance efforts of businesses needing to meet emerging regulatory obligations such as FISMA in federal circles or PCI in the retail industry. The latest version of its enterprise web filtering and security platform boasts broader management of workers’ online activities, both onsite and remote, and includes email and onscreen alerting of activities that fall outside an enterprise’s established policy parameters.

COMPANIES A-Z/INDEX

3Com 46
Access & ID management 14
Altiris 51, 62
Antivirus 17
BigFix 51, 54
BlackSpider 20
BlueCat Networks 35
BMC Software 12, 14, 54
CA 14, 54, 62
Check Point Software Technologies 38, 43, 46
CipherTrust 30
Cisco Systems 14, 20, 36, 38, 46
Content filtering 27
CrossBeam Systems 38, 43
Elemental Security 62
Entrust 12
F-Secure 20, 22
Firewalls 33
Fortinet 30, 38
Hewlett-Packard 12, 14
Host intrusion prevention systems (HIPS) 43
IBM 12, 14, 54, 60
Imprivata 12
Internet Security Systems 43, 46
Intrusion prevention/detection 41
Ironport Systems 30
Juniper Networks 11, 20, 36, 38, 46
Kaspersky 22
LANDesk 54
McAfee 20, 22, 35, 44, 46, 52
Mercury Interactive 59, 62
MessageLabs 20
Microsoft 11, 22, 30, 44, 51, 54
NetIQ 12, 14, 62
Network access control (NAC) 11, 52
Network anomaly detection systems 43
Network intrusion prevention systems (NIPS) 43
NFR Security 46
Nokia 38
Novell 54
PatchLink 51, 54
Patch management 51
Postini 20, 22, 30
RSA Security 12, 60
Secure Computing 30, 38, 62
Security Governance 59
Shavlik Technologies 51, 54
SonicWALL 38
Sophos 22, 30
Sourcefire 43
Symantec 14, 20, 22, 30, 44, 46, 52, 60, 62
Top Layer Networks 46
Trend Micro 20, 22, 30
Trusted Computing Group 12, 14
Verisign 12
WatchGuard Technologies 38
Websense 30, 62


EDITOR: Jason Stamper
DEPUTY EDITOR: Matthew Aslett
CONSULTANT EDITORS:
COMPUTER SERVICES: Nick Mayes, Patrick O’Brien, Ed Thomas, Patrick Wachter
EBUSINESS: Madan Sheina, Angela Eager
APPLICATION FINANCIALS: Brian White, Tom Jowitt
INFRASTRUCTURE: Kevin White, Timothy Prickett Morgan
NEWS REPORTING: Rik Turner, Kevin Murphy, Rhonda Ascierto
STORAGE: Tim Stammers
PRODUCTION EDITOR: Alison Sleeman
ART and DESIGN: Helen Amy
ILLUSTRATIONS: Julian Puckett
HEAD OF SALES: Aziz Rahman
DEPUTY ADVERTISING MANAGER: Simon Foxwell
ACCOUNT MANAGER: Matti Reinholtz
ACCOUNT MANAGER: Malcolm Wells
ONLINE SALES MANAGER: Jamie Finlinson
NORTH AMERICAN SALES, AVANI INTERNATIONAL MARKETING, LLC, WEST COAST: Leslie Hallanan, +001 415 388 1685 (phone), [email protected]
PRODUCTION MANAGER: Claire McSweeney
SUBSCRIPTION ENQUIRIES: Sabeena Lalwani, Tel: +44 (0)20 7675 7958, Fax: +44 (0)20 7675 7450
PUBLISHER: Jake Sharp
MANAGING DIRECTOR: Rob Norton

Computer Business Review is published monthly by Datamonitor plc. Computer Business Review is registered at the Post Office as a newspaper. ISSN 1350-4665. All material © Datamonitor plc 2006. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher, Datamonitor.

Computer Business Review, Charles House, 108-110 Finchley Road, London NW3 5JJ. Editorial: +44 (0)20 7675 7000. Advertising: +44 (0)20 7675 7905. Subscriptions: +44 (0)20 7675 7958. Fax: +44 (0)20 7675 7450. Email: [email protected]
